Cyber crime: “It’s about the suffix crime, not the prefix cyber”

“We’re seeing 66,000 pieces of malware a day according to FireEye data; last year it was 20,000 a day and two years ago it was only 5,000 a day,” said Robert Lentz, President of Cyber Security Strategies and former CISO for the U.S. DoD at the Cyber Defence and Network Security conference in London.

The issue of cyber crime, cyber terrorism, and, dare I say it, cyber war, is becoming increasingly prevalent today and it shows no signs of slowing down anytime soon. Listening to Lentz it’s easy to see why. Indeed, Maajid Nawaz, Chairman of the Quilliam Foundation, said it’s only “going to get worse.”

“The defining change of our generation”

Cyber security has become, in many respects, just a buzzword. However, the threats hiding behind it are very real, and not least when a digital threat is turned into a physical attack.

“I’m not being melodramatic … but the reality is cyber threats will lead to lead to physical attacks,” said Lentz.

There are countless scenarios in which this could emerge. Hacking into a hospital’s network and altering a patient’s medical records would be considered an assassination. Hacking into a nation’s nuclear weapons system and fiddling with the delicate balance of its reactors could be considered an act of cyber war….ah, wait a minute….oh yes, Stuxnet.

Cyber war itself is an issue of particular contention. What is it? How do you define it? Does it even exist as a tangible entity or is it just a term dreamed up in an attempt to describe an ethereal concept?

Dick Crowell of the U.S. Navy War College has a thoughtful response to this. “I don’t believe there will ever be a thing which we can call a ‘Cyber War’ … but I think cyber warfare tactics will be employed in all future conflicts.” That is an important distinction because it suggests that in the future a conflict will not be defined by a single strategy; the onset of the threat from cyberspace is shifting the battlespace to a point where the lines between peace and war become blurred.

The trouble is with the term itself: ‘War’ has become convoluted over the past half century, it is used more as an evocative term than a descriptive one. Technically the US has not been at ‘War’ since 1945, it has instead been involved in supposed peacekeeping missions and counter-insurgency operations.

Shaw explained that: “The word war has lost all its meaning; it’s now only relevant in political theory, not as an operational term.”

Cyber hygiene: Managing the threat

“The growth of the internet is the defining change of this generation,” said Mark Field MP, a member of the Intelligence and Security Committee. Learning how to manage and mitigate the threats it poses will need to be the next.

“The reality is we can’t keep the bad guys out of our networks,” said Lentz. This means we need to improve our resiliency; we need to figure out how to ensure networks remain online and operational even during a cyber attack, Lentz explained.

For Lentz, the most effective response to this is to employ offensive cyber tactics. He called for key government and industry actors to conduct more drills, exercises and live operations as a way of preventing the advanced persistent threat.

For the military at least, the perception of ‘cyberspace’ has to change for this to become a reality. “We need to think about cyberspace as an operational domain, just like the land, sea and air domains,” said Lieutenant General Rhett Hernandez, Commander at U.S. Army’s Cyber Command.

Here, Lentz and Hernandez agree that changes must be implemented at the ground level. “We need to focus on the training dimension,” said Lentz. Hernandez shares this sentiment: “We need to think differently about recruiting and training.”

Staying safe online

Moving this argument forward, Major General Shaw, Commander at the MoD’s UK Cyber Policy and Plans Team, stated that “education offers the only response to preventing attacks.”

But that leads to an important question: Whose responsibility is it?

Should the government be the ones to educate the public about ‘staying safe online’ and legislate to protect against cyber criminals? More specifically is it a military or government services concern? Should industry be more accountable? Or is it up to the individual and the individual alone?

There’s no simple answer, but there’s little doubt government should be taking a more proactive approach. Whitehall has produced a Staying Safe Online campaign, but Shaw postulates that only about 1% of the UK population has actually set eyes on it (let alone heard of it) because it was not a promoted campaign. The THINK! Seatbelt campaign worked in 1973 because the government put its weight behind it, it was well promoted and reached the targeted demographic. At the moment the government is doing little more than going through the motions regarding cyber security – the ‘Great Get Along’ as Lentz calls it.

For now though, little is likely to change. We will likely only see a step-change in the government’s attitude towards cyber security after it’s too late, similar to how the War on Terror was born out of the 9/11 attacks.

“Cyber physical threats are on the horizon and that will be the ‘tipping point’ when the government really becomes involved,” said Lentz.

Shaw concluded that it will take a “whole society approach” to manage the advanced persistent threat in the future.